Pix506 can't access some ip's

[rbnstudio]

I just implemented a Pix506.

No NAT used. Means public ip's on the Pix's internal interface.

But some of the ip'a on the internal interface of the Pix cannot be reached from outside...
I have totally opened for ICMP packets. And the access-lists has "any" "any" in source/destination.

The external interface of the PIX is connected to a Cisco 1720 router....From the router console I cannot ping all of the hosts.

But from the Pix console I can ping all the hosts.

What can cause this?

Is it a problem with ARP cache/timeout?

Any suggestions would be appreaciated.

 

[yizhar]

HI.

Check ip routing - The pix should be the default gateway of all internal hosts.

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[rbnstudio]

I have checked this! It's set correct.
All servers has the Default gw set to the Pix's internal interface ip.

My setup is like this, without NAT

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/examples.htm#xtocid1

Could it be the static paramter that is missing?
Or is this not required when not using NAT?

 

[yizhar]

HI.

Use Syslog messages to debug.
Example:

logging on
log buffer 5
show log
... Try to ping now ...
show log

(You can use "clear log" if you wish).


When not using nat, you MUST have this or similar command
nat (inside) 0 0 0
Otherwise only hosts with static mapping will be accessible.
Also the router must have a correct route to the internal network (pointing to the pix outside interface).

How did you open ICMP (what commands)?

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[rbnstudio]

HI,

I have the NAT commando:
nat (inside) 0 xxx.xxx.xxx.0 255.255.255.224 0 0

xxx.xxx.xxx.0 is my subnet

So the static commando should not be needed then?

I have the following in the access-list
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any echo
access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 [Routers IP] 1

 

[rbnstudio]

I've now tried to watch what happens by turning log on.

After the Pix has been restarted and I try to ping from outside to one of the servers on the internal interface, this appears in the log:

106010: Deny inbound icmp src outside:xxx.xxx.xxx.xxx dst inside: xxx.xxx.xxx.xxx (type 8, code0)

How ever, if I then go the internal server, (which could not be pinged), and then try to ping something out through the pix, I can then ping this internal server from outside...

I don't think it's just some ip's that I cannot access from the outside (as I wrote in the beginning). I think it's all of them, as long as they havent't sent any traffic out....It's like the PIX will not allow anything in to a ip, as long as this ip has not sent anything out....

The problem is 100% in the PIX, because I've tried booting the server, connected directly to the PIX wihthout my Switch.

After the PIX has been rebooted I have the problem again, cannot connect in to that ip as long as this ip hasn't sent out through the PIX.

Any ideas?

 

[yizhar]

HI.

* You might need to add STATIC entries even without nat.
Read all the info about STATIC command here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/

* Try some TCP tests instead of ICMP.
Try accessing the open ports of your server from the outside.
What happens?

* Try using this instead of specific ICMP type for the testing proccess:
access-list outside_access_in permit icmp any any

* Try for the test proccess to allow ICMP to the pix own interfaces. It does not seem related but just try to be sure, then later block them again:

icmp permit any any

* Recheck your ip addressing and routing setup. Is everything "by the book"?


Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[rbnstudio]

Yes, It was the static command that was missing.
It seems a bit strange since the static command does not figure at all in the Cisco examples on how to configure without NAT.